Graduate Course on Computer Security Lecture 2: Shared-Key Cryptography Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL – Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita’ di Udine, Italy December 3, 2001 Outline • Goals of cryptography • History • Symmetric ciphers Goals History Shared-Key Attacks Block C. Stream C. DES Attacks Block ciphers Stream ciphers Data Encryption Standard (DES) • What is a secure cipher? Secure C. Computer Security: 2 – Shared-Key Cryptography 2 Confidentiality Goals History Implement a virtual trusted channel over an insecure medium Shared-Key Attacks Block C. Stream C. DES E D Secure C. Computer Security: 2 – Shared-Key Cryptography 3 Insecure Channels External observer can Goals History Shared-Key Attacks • Read traffic • Inject new traffic • Erase traffic … sometimes • Modify traffic … sometimes Block C. Stream C. DES Secure C. Computer Security: 2 – Shared-Key Cryptography 4 Classical Goals of Cryptography Encrypted message (ciphertext) Encryption E Goals History Message (cleartext, plaintext) Decryption D key Shared-Key Message (cleartext, plaintext) Attacks Block C. Stream C. DES E, D realize a virtual trusted channel, given key Secure C. Computer Security: 2 – Shared-Key Cryptography 5 Modern Cryptography Not just about confidentiality! • Integrity Digital signatures Hash functions • Fair exchange Goals History Shared-Key Attacks Block C. Stream C. DES Contract signing • Anonymity Electronic cash Electronic voting •… Secure C. Computer Security: 2 – Shared-Key Cryptography 6 A Brief History of Cryptography • ~2000 years ago: Substitution ciphers • A few centuries later: Permutation ciphers Goals History Shared-Key Attacks Block C. Stream C. DES • Renaissance: Polyalphabetic ciphers • 1844: Mechanization • 1976: Public-key cryptography Secure C. Computer Security: 2 – Shared-Key Cryptography 7 A → C B → E D → F … X → A Y → B Z → C Caesar’s cipher: Substitution Ciphers Replace each letter with another • Key: substitution table • How to break it? Brute force? 26! possibilities (= 4x1026) Count the frequencies of letters, pairs, … Goals History Shared-Key Attacks Block C. Stream C. DES Secure C. Arabs had tabulated the Koran by 1412 Ciphertext is enough: ciphertext-only attack • Example: QVAQBCWZQRLWDVEFW IAMINDECIPHERABLE Computer Security: 2 – Shared-Key Cryptography A B C D E F G → → → → → → → V E Z C W G O H I J K L M N → → → → → → → L Q N H F A B O P Q R S T U → → → → → → → S R I D U Y K V W X Y Z → → → → → X M T J P 8 Permutation Ciphers k= 1 2 3 4 5 3 5 4 1 2 Switch letters around by a permutation Goals • Example: HELLOWORLD → LOLHERDLWO • Key: permutation • Breakable with ciphertext-only attack History Shared-Key Attacks Block C. Stream C. DES Secure C. Computer Security: 2 – Shared-Key Cryptography 9 Renaissance Ciphers Use message and key letters for cipher • Key: a word (CRYPTO) • Example: WHATANICEDAYTODAY + CRYPTOCRYPTOCRYPT (mod 26) Goals History Shared-Key Attacks Block C. Stream C. DES ZZZJUCLUDTUNWGCQS • Polyalphabetic cipher: Encryption of letter is context-dependent • Seed of modern cryptography Secure C. Computer Security: 2 – Shared-Key Cryptography 10 The Enigma Mechanization • 1844: invention of telegraph Beginning of civilian crypto • Rotor machines Key: initial position of rotors Goals History Shared-Key Attacks Block C. Stream C. DES Culminate in WW II • 1975: DES 1996-2000 AES • 1976: Public key cryptography We will examine in some detail Secure C. Computer Security: 2 – Shared-Key Cryptography 11 Symmetric Ciphers Encryption box M Goals History Shared-Key Decryption box Encrypted message (ciphertext) E Message (cleartext) X X k Secret key Attacks D M Message (cleartext) Block C. Stream C. DES Secure C. Dk(Ek(m)) = m Computer Security: 2 – Shared-Key Cryptography 12 Properties of a Good Cipher E, D : {0,1}n x {0,1}l → {0,1}n • Dk(Ek(m)) = m For every k, Ek is an injection with inverse Dk Goals History Shared-Key Attacks Block C. Stream C. DES Secure C. • Ek(m) is easy to compute, given m and k • Dk(x) is easy to compute, given x and k Polynomial in max{n,l} - often linear • If x = Ek(m), it is hard to find m without k Exponential in min{n,l} Computer Security: 2 – Shared-Key Cryptography 13 Open Design Kerchoff’s Principle (1883) The security of a cryptosystem must not depend on keeping the algorithm secret Goals History Shared-Key Attacks Block C. Stream C. DES No security by obscurity • Better Lots of smart but innocuous people dissect it Than a single smart malicious Secure C. Computer Security: 2 – Shared-Key Cryptography 14 Attack Models Random x Goals History Shared-Key Attacks Ek(m) m, x Ciphertext Only Chosen Random Ek(m) m, x Chosen Plaintext Known Plaintext Chosen Dk(x) x, m Known Plaintext Block C. Stream C. DES Secure C. Good ciphers resist all attack models Computer Security: 2 – Shared-Key Cryptography 15 Successful Attacks Decrypt future messages coded with k • Recover k Hard Goals History Shared-Key Attacks Block C. Stream C. • Often not needed! Exploit properties of the cipher See Lecture 5 (WEP) DES Secure C. Computer Security: 2 – Shared-Key Cryptography 16 Differential Power Analysis on DES Sneaky Attacks 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Detail: Round 2 • Obtain the key somehow Round 3 From http://www.cryptography.com/dpa/technical Network sniffers, worms, backup tapes, … Blackmail, bribery, torture, … Be careful! Goals History Shared-Key Attacks Block C. Stream C. DES Secure C. • Side-channel cryptanalysis Power consumption Encryption time Radiation Better implementation ⇒ off-peak computation ⇒ random noise ⇒ physical shielding and design Computer Security: 2 – Shared-Key Cryptography 17 Encrypting Long messages Most algorithms operate on fixed sizes E.g. 64 bits for DES • Block ciphers Slice m into m1, …, mn Goals History Shared-Key Attacks Block C. Stream C. DES Add padding to last block Use Ek to produce x1, …, xn Use Dk to recover m1, …, mn • Stream ciphers Rely on pseudo-random sequence Secure C. Computer Security: 2 – Shared-Key Cryptography 18 Electronic Codebook Mode – ECB • Any identical block encrypted identically m: • Lots of ciphertext with the same k • Dictionary attack Goals History Shared-Key Attacks Block C. n bits Ek … Ek x: … n bits Ek … n bits n bits Attacker records blocks Substitute them back when appropriate Encryption guarantees secrecy, not integrity Stream C. DES Secure C. Computer Security: 2 – Shared-Key Cryptography 19 Exclusive OR Fundamental operation of many ciphers Goals History Shared-Key Attacks y z y⊕z 0 0 0 0 1 1 1 1 0 1 0 1 • Properties y⊕y=0 y⊕0=y y⊕1=y y⊕z⊕z=y Block C. Stream C. DES Secure C. Computer Security: 2 – Shared-Key Cryptography 20 Cipher Block Chaining – CBC • Encryption m: x1 = Ek(m1 ⊕ IV) xi = Ek(mi ⊕ xi-1) • Decryption Goals History Shared-Key Attacks Block C. Stream C. DES n bits n bits … IV Ek Initialization Vector m1 = Dk(x1) ⊕ IV mi = Dk(xi) ⊕ xi-1 Ek … Ek … x: n bits n bits • Widely used E.g IPSec Secure C. Computer Security: 2 – Shared-Key Cryptography 21 Output Feedback Mode – OFB • Encryption m: xi = mi ⊕ Ek(IV)i • Decryption Goals mi = xi ⊕ Dk n bits n bits … Ek Ek … Ek IV (IV)i Initialization Vector History … x: n bits n bits Shared-Key Attacks Block C. Stream C. NB: encryption is never applied to m DES Secure C. Computer Security: 2 – Shared-Key Cryptography 22 One-Time Pad Goals History Shared-Key Attacks Block C. Stream C. DES Secure C. • • • • Dk(x) = x ⊕ k Ek(m) = m ⊕ k Requires |m| = |k| Very fast Perfect secrecy Prob[guessing m] = Prob[guessing m|x] • k should never be reused again! x1 = m1 ⊕ k x2 = m2 ⊕ k x 1 ⊕ x 2 = m1 ⊕ m2 • k very large for long messages How to distribute it? Computer Security: 2 – Shared-Key Cryptography 23 Pseudo-Random Bit Generators • Deterministic functions RNG : {0,1}n → {0,1}∞ • Stretch fixed-size seed to an unbounded sequence that looks random Goals History Shared-Key Attacks Block C. Stream C. • Computable approximation of one-time pad Example: i := 0 i := 0 do forever i := i+1 mod 256 j := j+s[I] mod 256 swap s[i],s[j] t := s[i]+s[j] mod 256 output s[t] Seed: initial value of s Size of state: (2256)256 • Example: RC4 DES Secure C. Computer Security: 2 – Shared-Key Cryptography 24 Stream Ciphers One-time pad using a RNG • Use k as seed? Ek(m) = m ⊕ RNG(k) Reuse problem! Goals History Shared-Key Attacks Block C. Stream C. DES • Typical usage (e.g., with DES) Ek(m) = DESk(s) , m ⊕ RNG(s) strong fast Chose new s each time Secure C. Computer Security: 2 – Shared-Key Cryptography 25 DES - Data Encryption Standard [NIST/IBM/NSA, released 1975] key • Message blocks: 64 bits • Keys: 56 bits 56 Cleartext block 64 DES 64 Ciphertext block • Speed Software: 43,000 block/sec ~ 2.7 Mbit/sec Goals History Shared-Key Attacks Block C. Stream C. DES Measured on an old 80486 at 66MHz OK for files and web pages Too slow for sound and video Hardware: 16.8 million block/sec ~ 1 Gbit/sec High speed Ethernet: 100 Mbit/sec Modem: 56 Kbit/sec Secure C. Computer Security: 2 – Shared-Key Cryptography 26 Feistel Networks Goals History Shared-Key Attacks Li = Ri-1 Ri = Li-1 ⊕ fi(Ri-1) Block C. Stream C. DES Round 1 R0 : ⊕ f1 Round 2 L1 : R1 : ⊕ f2 … Round k-1 • Arbitrary functions • Not necessarily invertible n bits L0 : Lk-2 : Rk-2 : ⊕ Lk-1 : Round k f1, …, fk : {0,1}n → {0,1}n n bits Rk-1 : ⊕ Lk : fk-1 fk Rk : Secure C. Computer Security: 2 – Shared-Key Cryptography 27 Inverting a Feistel Network Theorem L0 : For any f1, …, fk : {0,1}n → {0,1}n, a Feistel network computes a permutation π : {0,1}n → {0,1}n Goals History Inverse: ⊕ Block C. Stream C. DES Secure C. R1 : ⊕ Feistel networks convert generic functions into permutations Computer Security: 2 – Shared-Key Cryptography f2 … Li-1 = Ri ⊕ fi(Li) Ri-1 = Li f1 L1 : Lk-2 : Rk-2 : ⊕ Shared-Key Attacks R0 : Lk-1 : Rk-1 : ⊕ Lk : fk-1 fk Rk : 28 Inside DES cleartext DES is a Feistel network with Goals History Shared-Key Attacks Block C. Stream C. DES 16 rounds 64 bit cleartext blocks 56 bits key f1, …, f16 derived from key Initial permutation π (public) 64 π key 56 64 16-round Feistel Network 64 Decryption Apply f16, …, f1 (in reverse order) Same chip π-1 64 ciphertext Secure C. Computer Security: 2 – Shared-Key Cryptography 29 The Functions fi 48 bits x fi(x) = F(x, ki) • ki derived from k ki 32 r 56 bits 48 48 Public key schedule 48 • F: {0,1}32 x {0,1}48 → {0,1}32 is public Goals History Shared-Key Attacks Block C. Stream C. DES Secure C. 32 bits S1 48 bits ½ block x expanded to x’ Public replicator r 6 6 bits → 4 bits S-boxes Sj are public … where the magic happens Rationale was kept secret Final permutation π’ is public 4 6 S2 4 6 S3 4 6 6 S4 S5 4 4 6 S6 4 6 S7 4 6 S8 4 32 π’ 32 F(x, ki) Shuffles input for next round Computer Security: 2 – Shared-Key Cryptography 30 Attacks on DES • Exhaustive search Given plaintext m and ciphertext x, with high probability there is a single key k s.t. x = DES(m,k) Trying 106 keys/sec, it takes 2,000 years Goals History Shared-Key Attacks Block C. Stream C. DES Secure C. • However … 1993, $106 homemade supercomputer breaks DES in 7 hours (CPA) • More sophisticated attacks Use properties (e.g. DES(m,k) = DES(m,k)) Linear / differential crypto-analysis Computer Security: 2 – Shared-Key Cryptography 31 Avoiding Exhaustive Search–3DES DES is not a group Given k1, k2, with high probability there is no k3 s.t. Ek1(Ek2(m)) = Ek3(m) for every m Goals History 3DESk1,k2(m) = Ek1(Dk2(Ek1(m))) Shared-Key Attacks Block C. Stream C. DES • Key length: 112 bits • Very popular DES encryption DES decryption Secure C. Computer Security: 2 – Shared-Key Cryptography 32 How about a 2DES? 2DESk1,k2(m) = Ek1( Ek2(m)) ?? • Meet-in-the-middle attack! History Shared-Key Attacks Block C. Stream C. DES Secure C. E … Goals m X2 X2 56 =? m1 m2 … X1 D m2 56 X For key length n, total work is “only” 2n + 2n = 2n+1 Try all possible keys • Effective key length is just 57 bits! • Applies to any encryption algorithm Computer Security: 2 – Shared-Key Cryptography 33 DESX DES encryption DESXk1,k2,k3(m) = k1 ⊕ Ek2(m ⊕ k3) • Key length: 56 + 2*64 = 184 bits • However, effective key length is only about Goals 100 bits History Shared-Key Attacks Block C. Stream C. DES Secure C. Computer Security: 2 – Shared-Key Cryptography 34 AES – a Successor to DES Advanced Encryption Standard • 1996: NIST issues public call for proposal Goals History Shared-Key Attacks Block C. Stream C. DES Secure for next 50-100 years Block cipher faster than 3DES Variable key lengths (128, 192, 256, … bits) Open design • 15 algorithms submitted Public (and private) crypto-analysis for 4 years 5 finalists Secure C. Computer Security: 2 – Shared-Key Cryptography 35 Oct. 2000: AES Contest Winner Rijndael, by J. Daemen and V. Rijmen Goals History Shared-Key Attacks • Fast (~18-20 cycles to encrypt a byte) • Small (98 Kb) • Well understood characteristics Bit operations: ⊕, shift, … • Provides good safety (1.33 safety factor) Block C. Stream C. DES Secure C. Computer Security: 2 – Shared-Key Cryptography 36 When is a Cipher Secure? m Ek(_) Goals History x m Ek(0) x Shared-Key Attacks Block C. Stream C. DES Secure C. Polynomial adversary cannot tell a real encryption box from a fake one Computer Security: 2 – Shared-Key Cryptography 37 Formal Definition Let E: {0,1}n x {0,1}l → {0,1}n A(x ↔ m) = 1 iff x = Ek(m) A algorithm polynomial in key length l xm = Ek(m) Goals History Shared-Key Attacks Block C. Stream C. DES E is a secure encryption scheme if ∀ polynomial p(_) ∃ L s.t. ∀ l > L ∀ k ∈ {0,1}l Pr[A(xm ↔ m) = 1] - Pr[A(x0 ↔ m) = 1] < 1/p(l) Secure C. Computer Security: 2 – Shared-Key Cryptography 38 Readings • Andrea Sgarro, Codici Segreti, 1989 “The comprehensive History of Secret Communication from Ancient Times to the Internet” • David Kahn, The Code-Breakers, 1996 Goals History Shared-Key Attacks • A. Menezes, P. van Oorschot and S. Vanstone, The Handbook of Applied Cryptography, 1996 Block C. Stream C. DES Secure C. Computer Security: 2 – Shared-Key Cryptography 39 Exercises for Lecture 2 • Find a way to measure the redundancy in the ASCII rendering of English (or Italian) text • Prove the invertibility of a Feistel network Goals History Shared-Key Attacks Block C. Stream C. DES • Why is 3DES immune from the meet-inthe-middle attack? Can you explain why 3DES uses only 2 keys? What is the cost of breaking y iterated encryptions with different keys? Secure C. Computer Security: 2 – Shared-Key Cryptography 40 Next … • Public-Key Cryptography Goals History Shared-Key Attacks Block C. Stream C. DES Secure C. Computer Security: 2 – Shared-Key Cryptography 41